[Samba] Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
Stephen
stephen at ogdenradar.com
Fri Mar 22 17:39:02 UTC 2019
Rowland - good news - the instructions in that document you suggested
appear to have made all the difference!
Now I find that if I do:
pi at ad2:~ $ sudo systemctl restart samba-ad-dc
pi at ad2:~ $ sudo samba-tool drs showrepl
Default-First-Site-Name\AD2
DSA Options: 0x00000001
DSA object GUID: e676dfc3-670d-46bb-b1f7-756bae990a30
DSA invocationId: b7fb9a73-a5c5-4672-9d0f-83e0323f9f3b
==== INBOUND NEIGHBORS ====
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ Fri Mar 22 17:11:56 2019 GMT was successful
0 consecutive failure(s).
Last success @ Fri Mar 22 17:11:56 2019 GMT
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ Fri Mar 22 17:11:55 2019 GMT was successful
0 consecutive failure(s).
Last success @ Fri Mar 22 17:11:55 2019 GMT
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ Fri Mar 22 17:11:57 2019 GMT was successful
0 consecutive failure(s).
Last success @ Fri Mar 22 17:11:57 2019 GMT
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ Fri Mar 22 17:11:56 2019 GMT was successful
0 consecutive failure(s).
Last success @ Fri Mar 22 17:11:56 2019 GMT
DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ Fri Mar 22 17:11:57 2019 GMT was successful
0 consecutive failure(s).
Last success @ Fri Mar 22 17:11:57 2019 GMT
==== OUTBOUND NEIGHBORS ====
CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ Fri Mar 22 17:11:46 2019 GMT was successful
0 consecutive failure(s).
Last success @ Fri Mar 22 17:11:46 2019 GMT
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
DC=samdom,DC=example,DC=com
Default-First-Site-Name\AD1 via RPC
DSA object GUID: a021ecef-e1f1-41ea-9787-9c3678f25e4a
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: c2f83b11-0d06-41d3-b6c1-438ae935852c
Enabled : TRUE
Server DNS name : ad1.samdom.example.com
Server DN name : CN=NTDS
Settings,CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Notice now crucially that the *outbound section here in this output is
now fully completed whereas it was empty previously*. My manual testing
suggests that newly created accounts replicate from ad2 to ad1 following
this change successfully.
It looks like later versions of Samba setup these additional CNAME DNS
records behind the scenes whereas 4.5 on my Pi seems to requires these
additional incantations and goat sacrifice to make things work
successfully. C`est la vie.
Happily, the change you have suggested there also appears to have also
cascaded to the AD SRV records on both DCs which was the other question
I was going to ask.
pi at ad1:~ $ host -t SRV _kerberos._udp.samdom.example.com
_kerberos._udp.samdom.example.com has SRV record 0 100 88
ad1.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88
ad2.samdom.example.com.
pi at ad1:~ $ host -t SRV _ldap._tcp.samdom.example.com
_ldap._tcp.samdom.example.com has SRV record 0 100 389
ad1.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389
ad2.samdom.example.com.
Thanks once again for your help its very much appreciated!
Kind Regards
Stephen Ellwood
More information about the samba
mailing list